mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-03 01:13:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #6955 from inorick/nofa_no_session_tickets

Browse Source 
Guard ticket specific TLS 1.3 function with macro
This commit is contained in:
Manuel Pégourié-Gonnard 2024-04-08 08:56:17 +00:00 committed by GitHub
commit a4b773d3bb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 226 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog.d/tls13-without-tickets.txt Normal file
View File

@ -0,0 +1,3 @@
Bugfix
* Fix TLS 1.3 client build and runtime when support for session tickets is
disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395.

54
include/mbedtls/ssl.h
View File

@ -3216,16 +3216,16 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
* a full handshake.
*
* \note This function can handle a variety of mechanisms for session
* resumption: For TLS 1.2, both session ID-based resumption and
* ticket-based resumption will be considered. For TLS 1.3,
* once implemented, sessions equate to tickets, and loading
* one or more sessions via this call will lead to their
* corresponding tickets being advertised as resumption PSKs
* by the client.
*
* \note Calling this function multiple times will only be useful
* once TLS 1.3 is supported. For TLS 1.2 connections, this
* function should be called at most once.
* resumption: For TLS 1.2, both session ID-based resumption
* and ticket-based resumption will be considered. For TLS 1.3,
* sessions equate to tickets, and loading one session by
* calling this function will lead to its corresponding ticket
* being advertised as resumption PSK by the client. This
* depends on session tickets being enabled (see
* #MBEDTLS_SSL_SESSION_TICKETS configuration option) though.
* If session tickets are disabled, a call to this function
* with a TLS 1.3 session, will not have any effect on the next
* handshake for the SSL context \p ssl.
*
* \param ssl The SSL context representing the connection which should
* be attempted to be setup using session resumption. This
@ -3240,9 +3240,10 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
*
* \return \c 0 if successful.
* \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session
* could not be loaded because of an implementation limitation.
* This error is non-fatal, and has no observable effect on
* the SSL context or the session that was attempted to be loaded.
* could not be loaded because one session has already been
* loaded. This error is non-fatal, and has no observable
* effect on the SSL context or the session that was attempted
* to be loaded.
* \return Another negative error code on other kinds of failure.
*
* \sa mbedtls_ssl_get_session()
@ -3309,8 +3310,16 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
* to determine the necessary size by calling this function
* with \p buf set to \c NULL and \p buf_len to \c 0.
*
* \note For TLS 1.3 sessions, this feature is supported only if the
* MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled,
* as in TLS 1.3 session resumption is possible only with
* tickets.
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
* \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the
* MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled
* and the session is a TLS 1.3 session.
*/
int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
unsigned char *buf,
@ -4837,23 +4846,16 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl
* \note This function can handle a variety of mechanisms for session
* resumption: For TLS 1.2, both session ID-based resumption and
* ticket-based resumption will be considered. For TLS 1.3,
* once implemented, sessions equate to tickets, and calling
* this function multiple times will export the available
* tickets one a time until no further tickets are available,
* in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will
* be returned.
*
* \note Calling this function multiple times will only be useful
* once TLS 1.3 is supported. For TLS 1.2 connections, this
* function should be called at most once.
* sessions equate to tickets, and if session tickets are
* enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration
* option), this function exports the last received ticket and
* the exported session may be used to resume the TLS 1.3
* session. If session tickets are disabled, exported sessions
* cannot be used to resume a TLS 1.3 session.
*
* \return \c 0 if successful. In this case, \p session can be used for
* session resumption by passing it to mbedtls_ssl_set_session(),
* and serialized for storage via mbedtls_ssl_session_save().
* \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session
* is available for export.
* This error is a non-fatal, and has no observable effect on
* the SSL context or the destination session.
* \return Another negative error code on other kinds of failure.
*
* \sa mbedtls_ssl_set_session()

33
library/ssl_msg.c
View File

@ -5570,9 +5570,9 @@ static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_CLI_C)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl)
static int ssl_tls13_is_new_session_ticket(mbedtls_ssl_context *ssl)
{
if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) ||
@ -5580,15 +5580,9 @@ static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl)
return 0;
}
ssl->keep_current_message = 1;
MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
mbedtls_ssl_handshake_set_state(ssl,
MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
return MBEDTLS_ERR_SSL_WANT_READ;
return 1;
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#endif /* MBEDTLS_SSL_CLI_C */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
@ -5596,14 +5590,23 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message"));
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_CLI_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
int ret = ssl_tls13_check_new_session_ticket(ssl);
if (ret != 0) {
return ret;
if (ssl_tls13_is_new_session_ticket(ssl)) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
ssl->keep_current_message = 1;
mbedtls_ssl_handshake_set_state(ssl,
MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
return MBEDTLS_ERR_SSL_WANT_READ;
#else
MBEDTLS_SSL_DEBUG_MSG(3, ("Ignore NewSessionTicket, not supported."));
return 0;
#endif
}
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#endif /* MBEDTLS_SSL_CLI_C */
/* Fail in all other cases. */
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;

11
library/ssl_tls.c
View File

@ -1760,6 +1760,7 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
@ -1770,6 +1771,14 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session
session->ciphersuite));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
#else
/*
* If session tickets are not enabled, it is not possible to resume a
* TLS 1.3 session, thus do not make any change to the SSL context in
* the first place.
*/
return 0;
#endif
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
@ -4049,7 +4058,7 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
}
static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
unsigned char *buf,
const unsigned char *buf,
size_t buf_len)
{
((void) session);

2
library/ssl_tls13_client.c
View File

@ -666,6 +666,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
return 0;
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
@ -678,7 +679,6 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
return PSA_ALG_NONE;
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
{
mbedtls_ssl_session *session = ssl->session_negotiate;

6
library/ssl_tls13_server.c
View File

@ -172,12 +172,12 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
#define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1
#define SSL_TLS1_3_PSK_IDENTITY_MATCH 0
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_offered_psks_check_identity_match_ticket(
mbedtls_ssl_context *ssl,
@ -575,10 +575,8 @@ static int ssl_tls13_parse_pre_shared_key_ext(
psa_algorithm_t psk_hash_alg;
int allowed_key_exchange_modes;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_session session;
mbedtls_ssl_session_init(&session);
#endif
MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
@ -3109,6 +3107,7 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
return 0;
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
/*
* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
*/
@ -3138,7 +3137,6 @@ static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ss
return SSL_NEW_SESSION_TICKET_WRITE;
}
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
unsigned char *ticket_nonce,

31
tests/opt-testcases/tls13-misc.sh
View File

@ -813,6 +813,7 @@ run_test "TLS 1.3 m->m: resumption, cli/tkt kex modes psk_all/psk_all" \
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
@ -826,6 +827,20 @@ run_test "TLS 1.3 m->O: resumption" \
-c "Reconnecting with saved session... ok" \
-c "HTTP/1.0 200 ok"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_disabled MBEDTLS_SSL_SESSION_TICKETS
run_test "TLS 1.3 m->O: resumption fails, no ticket support" \
"$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 1" \
"$P_CLI debug_level=3 reco_mode=1 reconnect=1" \
1 \
-c "Protocol is TLSv1.3" \
-C "Saving session for reuse... ok" \
-C "Reconnecting with saved session... ok" \
-c "Ignore NewSessionTicket, not supported."
# No early data m->O tests for the time being. The option -early_data is needed
# to enable early data on OpenSSL server and it is not compatible with the
# -www option we usually use for testing with OpenSSL server (see
@ -858,6 +873,7 @@ run_test "TLS 1.3 m->O: resumption with early data" \
requires_gnutls_tls1_3
requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
@ -875,6 +891,21 @@ requires_gnutls_tls1_3
requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_disabled MBEDTLS_SSL_SESSION_TICKETS
run_test "TLS 1.3 m->G: resumption fails, no ticket support" \
"$G_NEXT_SRV -d 5 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \
"$P_CLI debug_level=3 reco_mode=1 reconnect=1" \
1 \
-c "Protocol is TLSv1.3" \
-C "Saving session for reuse... ok" \
-C "Reconnecting with saved session... ok" \
-c "Ignore NewSessionTicket, not supported."
requires_gnutls_tls1_3
requires_all_configs_enabled MBEDTLS_SSL_CLI_C \
MBEDTLS_SSL_SESSION_TICKETS MBEDTLS_HAVE_TIME \
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384

13
tests/scripts/all.sh
View File

@ -6061,6 +6061,19 @@ component_test_tls13_no_compatibility_mode () {
tests/ssl-opt.sh
}
component_test_full_minus_session_tickets() {
msg "build: full config without session tickets"
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS
scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: full config without session tickets"
make test
msg "ssl-opt.sh (full config without session tickets)"
tests/ssl-opt.sh
}
component_build_mingw () {
msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s
make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs

48
tests/src/test_helpers/ssl_helpers.c
View File

@ -1791,30 +1791,33 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session,
session->endpoint = endpoint_type == MBEDTLS_SSL_IS_CLIENT ?
MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER;
session->ciphersuite = 0xabcd;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
session->ticket_age_add = 0x87654321;
session->ticket_flags = 0x7;
session->resumption_key_len = 32;
memset(session->resumption_key, 0x99, sizeof(session->resumption_key));
#if defined(MBEDTLS_SSL_EARLY_DATA)
session->max_early_data_size = 0x87654321;
#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C)
int ret = mbedtls_ssl_session_set_ticket_alpn(session, "ALPNExample");
if (ret != 0) {
return -1;
}
#endif /* MBEDTLS_SSL_ALPN && MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_EARLY_DATA */
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
session->ticket_creation_time = mbedtls_ms_time() - 42;
}
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
int ret = mbedtls_ssl_session_set_ticket_alpn(session, "ALPNExample");
if (ret != 0) {
return -1;
}
#endif
#if defined(MBEDTLS_HAVE_TIME)
session->ticket_creation_time = mbedtls_ms_time() - 42;
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
}
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_CLI_C)
if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_HAVE_TIME)
session->ticket_reception_time = mbedtls_ms_time() - 40;
#endif
@ -1828,9 +1831,22 @@ int mbedtls_test_ssl_tls13_populate_session(mbedtls_ssl_session *session,
}
memset(session->ticket, 33, ticket_len);
}
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
char hostname[] = "hostname example";
session->hostname = mbedtls_calloc(1, sizeof(hostname));
if (session->hostname == NULL) {
return -1;
}
memcpy(session->hostname, hostname, sizeof(hostname));
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
}
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_EARLY_DATA)
session->max_early_data_size = 0x87654321;
#endif /* MBEDTLS_SSL_EARLY_DATA */
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
session->record_size_limit = 2048;
#endif

54
tests/ssl-opt.sh
View File

@ -3731,6 +3731,7 @@ run_test "CBC Record splitting: TLS 1.2, no splitting" \
# Tests for Session Tickets
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: basic" \
"$P_SRV debug_level=3 tickets=1" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3745,6 +3746,7 @@ run_test "Session resume using tickets: basic" \
-s "a session has been resumed" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: manual rotation" \
"$P_SRV debug_level=3 tickets=1 ticket_rotate=1" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3759,6 +3761,7 @@ run_test "Session resume using tickets: manual rotation" \
-s "a session has been resumed" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: cache disabled" \
"$P_SRV debug_level=3 tickets=1 cache_max=0" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3773,6 +3776,7 @@ run_test "Session resume using tickets: cache disabled" \
-s "a session has been resumed" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: timeout" \
"$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_delay=2000" \
@ -3787,6 +3791,7 @@ run_test "Session resume using tickets: timeout" \
-S "a session has been resumed" \
-C "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: session copy" \
"$P_SRV debug_level=3 tickets=1 cache_max=0" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
@ -3802,6 +3807,7 @@ run_test "Session resume using tickets: session copy" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: openssl server" \
"$O_SRV -tls1_2" \
"$P_CLI debug_level=3 tickets=1 reconnect=1" \
@ -3812,6 +3818,7 @@ run_test "Session resume using tickets: openssl server" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: openssl client" \
"$P_SRV debug_level=3 tickets=1" \
"( $O_CLI -sess_out $SESSION; \
@ -3825,6 +3832,7 @@ run_test "Session resume using tickets: openssl client" \
-s "a session has been resumed"
requires_cipher_enabled "AES" "GCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-128-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3840,6 +3848,7 @@ run_test "Session resume using tickets: AES-128-GCM" \
-c "a session has been resumed"
requires_cipher_enabled "AES" "GCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-192-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3855,6 +3864,7 @@ run_test "Session resume using tickets: AES-192-GCM" \
-c "a session has been resumed"
requires_cipher_enabled "AES" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-128-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3870,6 +3880,7 @@ run_test "Session resume using tickets: AES-128-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "AES" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-192-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3885,6 +3896,7 @@ run_test "Session resume using tickets: AES-192-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "AES" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: AES-256-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=AES-256-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3900,6 +3912,7 @@ run_test "Session resume using tickets: AES-256-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "CAMELLIA" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: CAMELLIA-128-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-128-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3915,6 +3928,7 @@ run_test "Session resume using tickets: CAMELLIA-128-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "CAMELLIA" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: CAMELLIA-192-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-192-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3930,6 +3944,7 @@ run_test "Session resume using tickets: CAMELLIA-192-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "CAMELLIA" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: CAMELLIA-256-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-256-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3945,6 +3960,7 @@ run_test "Session resume using tickets: CAMELLIA-256-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "ARIA" "GCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-128-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3960,6 +3976,7 @@ run_test "Session resume using tickets: ARIA-128-GCM" \
-c "a session has been resumed"
requires_cipher_enabled "ARIA" "GCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-192-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3975,6 +3992,7 @@ run_test "Session resume using tickets: ARIA-192-GCM" \
-c "a session has been resumed"
requires_cipher_enabled "ARIA" "GCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-256-GCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-GCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3990,6 +4008,7 @@ run_test "Session resume using tickets: ARIA-256-GCM" \
-c "a session has been resumed"
requires_cipher_enabled "ARIA" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-128-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -4005,6 +4024,7 @@ run_test "Session resume using tickets: ARIA-128-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "ARIA" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-192-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -4020,6 +4040,7 @@ run_test "Session resume using tickets: ARIA-192-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "ARIA" "CCM"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: ARIA-256-CCM" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-CCM" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -4035,6 +4056,7 @@ run_test "Session resume using tickets: ARIA-256-CCM" \
-c "a session has been resumed"
requires_cipher_enabled "CHACHA20"
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets: CHACHA20-POLY1305" \
"$P_SRV debug_level=3 tickets=1 ticket_aead=CHACHA20-POLY1305" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -4052,6 +4074,7 @@ run_test "Session resume using tickets: CHACHA20-POLY1305" \
# Tests for Session Tickets with DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: basic" \
"$P_SRV debug_level=3 dtls=1 tickets=1" \
"$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
@ -4067,6 +4090,7 @@ run_test "Session resume using tickets, DTLS: basic" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: cache disabled" \
"$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
"$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
@ -4082,6 +4106,7 @@ run_test "Session resume using tickets, DTLS: cache disabled" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: timeout" \
"$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
"$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2000" \
@ -4097,6 +4122,7 @@ run_test "Session resume using tickets, DTLS: timeout" \
-C "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: session copy" \
"$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
"$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_mode=0" \
@ -4112,6 +4138,7 @@ run_test "Session resume using tickets, DTLS: session copy" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: openssl server" \
"$O_SRV -dtls" \
"$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
@ -4125,6 +4152,7 @@ run_test "Session resume using tickets, DTLS: openssl server" \
# probability with OpenSSL 1.0.2g on the CI, see #5012.
requires_openssl_next
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using tickets, DTLS: openssl client" \
"$P_SRV dtls=1 debug_level=3 tickets=1" \
"( $O_NEXT_CLI -dtls -sess_out $SESSION; \
@ -4140,6 +4168,7 @@ run_test "Session resume using tickets, DTLS: openssl client" \
# Tests for Session Resume based on session-ID and cache
requires_config_enabled MBEDTLS_SSL_CACHE_C
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache: tickets enabled on client" \
"$P_SRV debug_level=3 tickets=0" \
"$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -4155,6 +4184,7 @@ run_test "Session resume using cache: tickets enabled on client" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_CACHE_C
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache: tickets enabled on server" \
"$P_SRV debug_level=3 tickets=1" \
"$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1" \
@ -4246,6 +4276,7 @@ run_test "Session resume using cache: session copy" \
-c "a session has been resumed"
requires_config_enabled MBEDTLS_SSL_CACHE_C
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache: openssl client" \
"$P_SRV force_version=tls12 debug_level=3 tickets=0" \
"( $O_CLI -sess_out $SESSION; \
@ -4295,6 +4326,7 @@ run_test "Session resume and connection ID" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CACHE_C
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache, DTLS: tickets enabled on client" \
"$P_SRV dtls=1 debug_level=3 tickets=0" \
"$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
@ -4311,6 +4343,7 @@ run_test "Session resume using cache, DTLS: tickets enabled on client" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CACHE_C
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache, DTLS: tickets enabled on server" \
"$P_SRV dtls=1 debug_level=3 tickets=1" \
"$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
@ -4396,6 +4429,7 @@ run_test "Session resume using cache, DTLS: session copy" \
requires_openssl_next
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_CACHE_C
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Session resume using cache, DTLS: openssl client" \
"$P_SRV dtls=1 debug_level=3 tickets=0" \
"( $O_NEXT_CLI -dtls -sess_out $SESSION; \
@ -6656,6 +6690,7 @@ run_test "Non-blocking I/O: client auth" \
-c "Read from server: .* bytes read"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: ticket" \
"$P_SRV nbio=2 tickets=1 auth_mode=none" \
"$P_CLI nbio=2 tickets=1" \
@ -6665,6 +6700,7 @@ run_test "Non-blocking I/O: ticket" \
-c "Read from server: .* bytes read"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: ticket + client auth" \
"$P_SRV nbio=2 tickets=1 auth_mode=required" \
"$P_CLI nbio=2 tickets=1" \
@ -6674,6 +6710,7 @@ run_test "Non-blocking I/O: ticket + client auth" \
-c "Read from server: .* bytes read"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \
"$P_SRV nbio=2 tickets=1 auth_mode=required" \
"$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \
@ -6685,6 +6722,7 @@ run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \
"$P_SRV nbio=2 tickets=1 auth_mode=required" \
"$P_CLI nbio=2 tickets=1 reconnect=1" \
@ -6694,6 +6732,7 @@ run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \
-c "Read from server: .* bytes read"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \
"$P_SRV nbio=2 tickets=1 auth_mode=none" \
"$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \
@ -6705,6 +6744,7 @@ run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Non-blocking I/O: TLS 1.3 + ticket + resume" \
"$P_SRV nbio=2 tickets=1 auth_mode=none" \
"$P_CLI nbio=2 tickets=1 reconnect=1" \
@ -6743,6 +6783,7 @@ run_test "Event-driven I/O: client auth" \
-c "Read from server: .* bytes read"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: ticket" \
"$P_SRV event=1 tickets=1 auth_mode=none" \
"$P_CLI event=1 tickets=1" \
@ -6752,6 +6793,7 @@ run_test "Event-driven I/O: ticket" \
-c "Read from server: .* bytes read"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: ticket + client auth" \
"$P_SRV event=1 tickets=1 auth_mode=required" \
"$P_CLI event=1 tickets=1" \
@ -6761,6 +6803,7 @@ run_test "Event-driven I/O: ticket + client auth" \
-c "Read from server: .* bytes read"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \
"$P_SRV event=1 tickets=1 auth_mode=required" \
"$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \
@ -6772,6 +6815,7 @@ run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \
"$P_SRV event=1 tickets=1 auth_mode=required" \
"$P_CLI event=1 tickets=1 reconnect=1" \
@ -6781,6 +6825,7 @@ run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \
-c "Read from server: .* bytes read"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \
"$P_SRV event=1 tickets=1 auth_mode=none" \
"$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \
@ -6792,6 +6837,7 @@ run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O: TLS 1.3 + ticket + resume" \
"$P_SRV event=1 tickets=1 auth_mode=none" \
"$P_CLI event=1 tickets=1 reconnect=1" \
@ -6824,6 +6870,7 @@ run_test "Event-driven I/O, DTLS: client auth" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O, DTLS: ticket" \
"$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
"$P_CLI dtls=1 event=1 tickets=1" \
@ -6831,6 +6878,7 @@ run_test "Event-driven I/O, DTLS: ticket" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O, DTLS: ticket + client auth" \
"$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
"$P_CLI dtls=1 event=1 tickets=1" \
@ -6838,6 +6886,7 @@ run_test "Event-driven I/O, DTLS: ticket + client auth" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
"$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
"$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
@ -6845,6 +6894,7 @@ run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
-c "Read from server: .* bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "Event-driven I/O, DTLS: ticket + resume" \
"$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
"$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
@ -11797,6 +11847,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
requires_certificate_authentication
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
-p "$P_PXY delay_srv=NewSessionTicket" \
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
@ -11917,6 +11968,7 @@ run_test "DTLS proxy: 3d, FS, client auth" \
client_needs_more_time 2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "DTLS proxy: 3d, FS, ticket" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
@ -11927,6 +11979,7 @@ run_test "DTLS proxy: 3d, FS, ticket" \
client_needs_more_time 2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
@ -11937,6 +11990,7 @@ run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
client_needs_more_time 2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
run_test "DTLS proxy: 3d, max handshake, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \

22
tests/suites/test_suite_ssl.data
View File

@ -930,35 +930,35 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2
ssl_session_serialize_version_check:0:0:0:1:0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: session serialization: Wrong major version
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:1:0:0:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: session serialization: Wrong minor version
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:1:0:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: session serialization: Wrong patch version
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:0:1:0:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: session serialization: Wrong config
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:0:0:1:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: session serialization: Wrong major version
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:1:0:0:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: session serialization: Wrong minor version
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:1:0:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: session serialization: Wrong patch version
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:0:1:0:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: session serialization: Wrong config
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_SESSION_TICKETS
ssl_session_serialize_version_check:0:0:0:1:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
Test Session id & Ciphersuite accessors TLS 1.2
@ -2971,7 +2971,7 @@ depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBED
ssl_serialize_session_save_load:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, save-load: no ticket
depends_on:MBEDTLS_SSL_PROTO_TLS1_3
depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_PROTO_TLS1_3
ssl_serialize_session_save_load:0:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: Session serialization, save-load: small ticket
@ -3091,7 +3091,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_
ssl_serialize_session_load_buf_size:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, load buffer size: no ticket
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C
ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: CLI: Session serialization, load buffer size: small ticket
@ -3103,7 +3103,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_
ssl_serialize_session_load_buf_size:1023:"":MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_VERSION_TLS1_3
TLS 1.3: SRV: Session serialization, load buffer size
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SRV_C
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_SRV_C
ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3
Test configuration of groups for DHE through mbedtls_ssl_conf_curves()

33
tests/suites/test_suite_ssl.function
View File

@ -2093,7 +2093,7 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
TEST_ASSERT(original.ciphersuite == restored.ciphersuite);
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add);
TEST_ASSERT(original.ticket_flags == restored.ticket_flags);
TEST_ASSERT(original.resumption_key_len == restored.resumption_key_len);
@ -2104,22 +2104,24 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
restored.resumption_key,
original.resumption_key_len) == 0);
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_EARLY_DATA)
TEST_ASSERT(
original.max_early_data_size == restored.max_early_data_size);
#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C)
#if defined(MBEDTLS_SSL_SRV_C)
if (endpoint_type == MBEDTLS_SSL_IS_SERVER) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
TEST_ASSERT(original.ticket_alpn != NULL);
TEST_ASSERT(restored.ticket_alpn != NULL);
TEST_MEMORY_COMPARE(original.ticket_alpn, strlen(original.ticket_alpn),
restored.ticket_alpn, strlen(restored.ticket_alpn));
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
}
#endif
#endif
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_CLI_C)
if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) {
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#if defined(MBEDTLS_HAVE_TIME)
TEST_ASSERT(original.ticket_reception_time == restored.ticket_reception_time);
#endif
@ -2132,12 +2134,23 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
restored.ticket,
original.ticket_len) == 0);
}
}
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
TEST_ASSERT(original.hostname != NULL);
TEST_ASSERT(restored.hostname != NULL);
TEST_MEMORY_COMPARE(original.hostname, strlen(original.hostname),
restored.hostname, strlen(restored.hostname));
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
}
#endif /* MBEDTLS_SSL_CLI_C */
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_EARLY_DATA)
TEST_ASSERT(
original.max_early_data_size == restored.max_early_data_size);
#endif
#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
TEST_ASSERT(original.record_size_limit == restored.record_size_limit);
#endif